From CISO Marketplace

Volt Typhoon

Threat Intelligence

Definition

A Chinese state-sponsored APT group focused on pre-positioning within US critical infrastructure — including power grids, water systems, and communications networks — to enable potential disruptive or destructive cyberattacks in the event of a geopolitical conflict, particularly over Taiwan.

Technical Details

Volt Typhoon (also known as Bronze Silhouette and Vanguard Panda) was publicly attributed by the US government, Microsoft, and Five Eyes intelligence partners in May 2023. Unlike typical espionage-focused APTs, Volt Typhoon's primary mission appears to be pre-positioning for potential future disruption rather than immediate intelligence collection. CISA, NSA, and FBI assess with high confidence that the group is positioning itself to disrupt US critical infrastructure in the event of a military conflict with China, particularly a Taiwan scenario.

The group's defining technical characteristic is an almost exclusive reliance on living-off-the-land (LotL) techniques. Volt Typhoon uses built-in Windows tools — WMIC, PowerShell, ntdsutil, netsh, and others — to conduct reconnaissance, move laterally, and exfiltrate data, generating minimal forensic artifacts. The group frequently uses compromised small office/home office (SOHO) routers (Netgear, Cisco RV series, ASUS, D-Link, Fortinet) as operational relay infrastructure, routing their traffic through these devices to blend in with legitimate network traffic and complicate attribution.

Targeted sectors include communications, energy, transportation, water and wastewater systems, and maritime ports — all sectors whose disruption would have cascading effects on military mobilization and civilian resilience. The group has demonstrated the ability to persist in OT-adjacent IT environments for extended periods, sometimes years, without detection. In some cases, they accessed systems controlling physical infrastructure processes. A joint advisory in February 2024 warned that Volt Typhoon had maintained access in some victim networks for at least five years.

The SOHO router botnet used by Volt Typhoon — sometimes called KV Botnet — was disrupted by a US DOJ court-authorized operation in January 2024, which deleted the malware from hundreds of compromised routers. However, analysts noted the group would likely reconstitute relay infrastructure. The campaign prompted new CISA guidance on OT/ICS security and hardening guidance for SOHO devices.

Practical Usage

Security teams at organizations in critical infrastructure sectors face a particularly difficult challenge with Volt Typhoon because the group's TTPs are designed to be nearly invisible within normal network telemetry. The group's LotL approach means EDR tools that focus on malware signatures will largely miss their activity. Detection requires behavioral analytics focused on anomalous use of built-in Windows utilities, unusual authentication patterns (particularly off-hours access using valid credentials), and unexpected outbound connections from OT-adjacent systems to external IP addresses.

Network segmentation is the most important defensive control against this threat. OT and ICS environments should have strict, monitored network boundaries with ICS-specific firewall rules and protocol filtering. Any IT system that has any connectivity path — even indirect — to operational technology should be treated as a high-value target and monitored accordingly. Asset inventory for OT environments is foundational: you cannot detect anomalous behavior from assets you don't know exist.

For organizations with SOHO routers anywhere in their supply chain or remote access infrastructure, Volt Typhoon's use of compromised consumer routers as relay nodes means that IP reputation blocking is insufficient — traffic from these devices appears to originate from legitimate business IP space. Zero-trust network access (ZTNA) approaches that authenticate users and devices regardless of network location provide better protection than perimeter-based controls that trust traffic from 'known' IP ranges.

Examples

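As an added illustration (not code from CISO Marketplace or from any of the advisories cited in this entry), the following Python sketch turns the three behavioral signals named under Practical Usage into a per-host correlation over constructed Windows telemetry. The host names, account names, internal address range and working-hours window are assumptions standing in for an organization's own asset inventory, and the sample events are constructed, not real logs.

```python
"""Toy behavioural detector for LotL activity on OT-adjacent hosts (added example)."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical environment facts (assumptions, not from the glossary entry):
# hosts that bridge into OT, accounts expected to run admin tooling,
# the organisation's own address space, and the local working-hours window.
OT_ADJACENT_HOSTS = {"hist-srv01", "eng-ws02"}
ADMIN_ACCOUNTS = {"svc_patch", "ops_admin"}
INTERNAL_NETS = [ip_network("10.20.0.0/16")]
WORK_HOURS = range(7, 19)                      # 07:00-18:59 local time
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed sample telemetry (not real logs): (kind, timestamp, host, user, detail)
# detail = source IP for logon, image name for process, dst ip:port for netconn
EVENTS = [
    ("logon",   "2024-02-05T02:14:00", "hist-srv01", "ops_admin", "10.20.5.40"),
    ("process", "2024-02-05T02:15:10", "hist-srv01", "ops_admin", "ntdsutil.exe"),
    ("netconn", "2024-02-05T02:20:00", "hist-srv01", "ops_admin", "203.0.113.7:443"),
    ("logon",   "2024-02-05T10:00:00", "it-ws15",    "jdoe",      "10.20.1.12"),
    ("process", "2024-02-05T10:05:00", "it-ws15",    "jdoe",      "netsh.exe"),
    ("netconn", "2024-02-05T10:06:00", "it-ws15",    "jdoe",      "10.20.0.2:445"),
]

def off_hours(ts):
    return datetime.fromisoformat(ts).hour not in WORK_HOURS

def is_external(dst):
    ip = ip_address(dst.rpartition(":")[0])
    return not any(ip in net for net in INTERNAL_NETS)

def score_event(kind, ts, host, user, detail):
    """Reasons a single event is suspicious; valid credentials alone are never one."""
    reasons = []
    if kind == "logon" and host in OT_ADJACENT_HOSTS and off_hours(ts):
        reasons.append("off-hours valid-credential logon to OT-adjacent host")
    elif kind == "process" and detail.lower() in LOTL_TOOLS:
        if user not in ADMIN_ACCOUNTS:
            reasons.append(f"{detail} run by non-admin account {user}")
        if off_hours(ts):
            reasons.append(f"{detail} run off-hours")
    elif kind == "netconn" and host in OT_ADJACENT_HOSTS and is_external(detail):
        reasons.append(f"outbound {detail} from OT-adjacent host to external address")
    return reasons

def detect(events):
    """Correlate per host: two or more independent signals on one host is an alert."""
    per_host = {}
    for ev in events:
        for reason in score_event(*ev):
            per_host.setdefault(ev[2], []).append(reason)
    return {host: rs for host, rs in per_host.items() if len(rs) >= 2}
```

With the sample data, only hist-srv01 is raised: an admin account logging on at 02:14, running ntdsutil, and then connecting out of the organization's address space from an OT-adjacent host; the lone non-admin netsh run on it-ws15 stays a single signal worth logging but not alerting on.
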
Related Terms

Salt Typhoon, Living off the Land, OT Security, ICS Security, Critical Infrastructure Protection